
False positive on G304 (CWE-22) after filepath.EvalSymlinks #1127

Closed
roelvandergoot opened this issue Apr 19, 2024 · 0 comments · Fixed by #1137

Comments

@roelvandergoot

Summary

According to the function documentation:
// EvalSymlinks returns the path name after the evaluation of any symbolic
// links.
// If path is relative the result will be relative to the current directory,
// unless one of the components is an absolute symbolic link.
// EvalSymlinks calls [Clean] on the result.

Steps to reproduce the behavior

package config

import (
    "os"
    "path/filepath"
)

// Config is a stand-in for the reporter's type; only the parse method is shown.
type Config struct{}

// parse creates a configuration from a configuration file with name fileName.
func (c *Config) parse(fileName string) error {
    info, err := os.Lstat(fileName)
    if err != nil {
        // Return on any Lstat error, not only "does not exist": info is nil
        // when err is set, so info.Mode() below would otherwise panic.
        return err
    }
    mode := info.Mode()
    var filePath string
    if mode&os.ModeSymlink != 0 {
        if filePath, err = filepath.EvalSymlinks(fileName); err != nil {
            return err
        }
        // Somehow gosec doesn't know that filepath.EvalSymlinks calls
        // filepath.Clean.
        filePath = filepath.Clean(filePath)
    } else {
        filePath = filepath.Clean(fileName)
    }

    file, err := os.ReadFile(filePath)
    if err != nil {
        return err
    }

    // ... (the parsing of file is elided in the report)
    _ = file
    return nil
}

gosec version

go install github.com/securego/gosec/v2/cmd/gosec@latest

or

> gosec -version
Version: dev
Git tag:
Build date:

Go version (output of 'go version')

go version go1.22.2 linux/amd64

Operating system / Environment

Ubuntu 22.04

Expected behavior

I was hoping not to have to include the following three lines in my code example:

        // Somehow gosec doesn't know that filepath.EvalSymlinks calls
        // filepath.Clean.
        filePath = filepath.Clean(filePath)

Actual behavior

Without those lines gosec complains:

[/home/roel/git/rp/pkg/config/config.go:70] - G304 (CWE-22): Potential file inclusion via variable (Confidence: HIGH, Severity: MEDIUM)
    69:
  > 70:         file, err := os.ReadFile(filePath)
    71:         if err != nil {

roelvandergoot changed the title from "Gosec False positive on G304 (CWE-22) after filepath.EvalSymlinks" to "False positive on G304 (CWE-22) after filepath.EvalSymlinks" on Apr 19, 2024
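The report rests on two points worth seeing in running code: filepath.EvalSymlinks already returns a Clean'ed path, so the Clean call the reporter had to add is redundant, and, for the CWE-22 risk that G304 is actually about, Clean by itself is not a defence, because it neither removes a leading "../" nor notices a symlink that points outside the intended directory. The Go program below is an added example and is not code from the issue, from the reporter, or from gosec. The names resolveConfigPath, readConfig, evalSymlinksAlreadyClean and setupFixture are hypothetical, and the directory layout setupFixture builds (a config file, an in-tree symlink, a file outside the base directory and a symlink that escapes to it) is constructed for the demonstration.

```go
package main

import (
	"errors"
	"fmt"
	"log"
	"os"
	"path/filepath"
	"strings"
)

// ErrOutsideBase is returned when the resolved path escapes the base directory.
var ErrOutsideBase = errors.New("resolved path is outside the allowed base directory")

// evalSymlinksAlreadyClean reports whether filepath.Clean leaves the result of
// filepath.EvalSymlinks(path) unchanged: the documented property behind the issue.
func evalSymlinksAlreadyClean(path string) (bool, error) {
	resolved, err := filepath.EvalSymlinks(path)
	if err != nil {
		return false, err
	}
	return filepath.Clean(resolved) == resolved, nil
}

// resolveConfigPath (hypothetical helper) takes fileName relative to baseDir,
// follows symlinks and rejects any result outside baseDir. Cleaning satisfies
// G304, but only the filepath.Rel check stops "../" escapes and stray symlinks.
func resolveConfigPath(baseDir, fileName string) (string, error) {
	absBase, err := filepath.Abs(baseDir)
	if err != nil {
		return "", err
	}
	// Resolve the base too, so children of a symlinked base compare equal to it.
	if absBase, err = filepath.EvalSymlinks(absBase); err != nil {
		return "", err
	}
	candidate := fileName
	if !filepath.IsAbs(candidate) {
		candidate = filepath.Join(absBase, candidate) // Join cleans as well
	}
	resolved, err := filepath.EvalSymlinks(candidate) // already Clean per the docs
	if err != nil {
		return "", err
	}
	rel, err := filepath.Rel(absBase, resolved)
	if err != nil {
		return "", err
	}
	sep := string(filepath.Separator)
	if strings.HasPrefix(rel+sep, ".."+sep) { // rel is ".." or starts with "../"
		return "", ErrOutsideBase
	}
	return resolved, nil
}

// readConfig reads the file only after resolveConfigPath accepted it. The extra
// Clean is redundant but mirrors the issue's workaround that keeps G304 quiet.
func readConfig(baseDir, fileName string) ([]byte, error) {
	p, err := resolveConfigPath(baseDir, fileName)
	if err != nil {
		return nil, err
	}
	return os.ReadFile(filepath.Clean(p))
}

// setupFixture builds a constructed layout in a fresh temp dir and returns it:
//   root/base/config.yaml, root/base/link -> config.yaml (stays inside base),
//   root/secret.txt (outside base), root/base/escape -> ../secret.txt (leaves base).
func setupFixture() (root, base string, err error) {
	if root, err = os.MkdirTemp("", "g304-demo"); err != nil {
		return "", "", err
	}
	base = filepath.Join(root, "base")
	err = errors.Join( // arguments evaluate left to right, so the dir exists first
		os.MkdirAll(base, 0o750),
		os.WriteFile(filepath.Join(base, "config.yaml"), []byte("listen: 127.0.0.1:8080\n"), 0o600),
		os.WriteFile(filepath.Join(root, "secret.txt"), []byte("not for you\n"), 0o600),
		os.Symlink("config.yaml", filepath.Join(base, "link")),
		os.Symlink(filepath.Join("..", "secret.txt"), filepath.Join(base, "escape")),
	)
	return root, base, err
}

func main() {
	root, base, err := setupFixture()
	if err != nil {
		log.Fatal(err)
	}
	defer os.RemoveAll(root)
	sep := string(filepath.Separator)
	ok, _ := evalSymlinksAlreadyClean(base + sep + "." + sep + "link")
	fmt.Println("EvalSymlinks result already clean:", ok)
	for _, name := range []string{"link", "sub/../config.yaml", "escape", "../secret.txt"} {
		data, err := readConfig(base, name)
		fmt.Printf("%-20s data=%q err=%v\n", name, data, err)
	}
}
```

Running it shows "link" and "sub/../config.yaml" reading the config (the second one because filepath.Join already cleans the redundant segment), while "escape" and "../secret.txt" are rejected with ErrOutsideBase even though both paths are perfectly "clean" in gosec's sense; the containment check is what actually addresses CWE-22, the Clean call only addresses the linter.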